Group Deploy Keys
Problem to solve
To use the same deploy keys with GitLab CI across projects, you have to add the deploy key to every project manually, so that the runner gets permission to clone/fetch other repositories that are internal or private.
This is inefficient, especially if you need to update your key or add a new one.
Intended users
Everyone working with GitLab CI and using the repo tool:
User experience goal
- The user should be able to configure deploy keys on the group level so they will be accessible in any child project.
- Users should find it easy to locate the group deploy keys in a group.
- Ideally, users should be aware of group deploy keys when working in a project context.
Proposal
- Add a menu option `Repository` under the group sidebar `Settings` menu
- Add a section `Deploy keys`
- Group Deploy keys allow read-only or read-write (if enabled) access to your project repositories within the group.
- Note: Group deploy keys do not support protected branches unless #30769 (comment 337230547) is implemented.
- Deploy keys can be used for access to environments. You can create a group deploy key or add an existing one.
- Note: Group deploy keys do not support protected environments unless #223748 is implemented.
- Project deploy keys are unique within the same instance. This means they can't both be added in User settings > SSH keys and in a group's or project's deploy keys section.
- This is shown with an error message similar to the one for project deploy keys (depicted at #14729 (comment 387842401)).
- The read/write access given to a group deploy key is inherited by the entire group.
- Group deploy keys are shown the same way as instance level deploy keys within a project's deploy keys context.
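The uniqueness rule in the list above only holds if keys are compared by their key material, because the same key can be pasted with a different trailing comment. An added example of that check (not GitLab's code; `KeyRegistry`, the scope labels, the error text and the sample keys are constructed for illustration):

```ruby
require 'digest'

# Parse an OpenSSH public key line ("type base64 [comment]") into [type, blob].
# The comment is dropped: it is a label, not part of the key.
def parse_public_key(line)
  type, b64, _comment = line.strip.split(/\s+/, 3)
  raise ArgumentError, 'expected "type base64 [comment]"' if b64.nil?
  blob = b64.unpack1('m0') # strict base64; raises ArgumentError on junk
  # The blob starts with a length-prefixed copy of the key type; it must match.
  len = blob.unpack1('N')
  raise ArgumentError, 'key type does not match key blob' unless len && blob.byteslice(4, len) == type
  [type, blob]
end

# OpenSSH-style SHA256 fingerprint: unpadded base64 of SHA-256 over the blob.
def fingerprint(line)
  _type, blob = parse_public_key(line)
  'SHA256:' + Digest::SHA256.base64digest(blob).delete('=')
end

# Hypothetical instance-wide registry covering all three places a key can live.
class KeyRegistry
  def initialize
    @scope_by_fingerprint = {}
  end

  # scope is a label such as "user:alice", "project:app" or "group:platform".
  def add(scope, line)
    fp = fingerprint(line)
    return [:rejected, 'fingerprint already in use on this instance'] if @scope_by_fingerprint.key?(fp)
    @scope_by_fingerprint[fp] = scope
    [:added, fp]
  end
end

# Constructed sample key (not a real key): an ed25519 blob filled with one byte.
def sample_key(byte, comment)
  blob = [11].pack('N') + 'ssh-ed25519' + [32].pack('N') + byte.chr * 32
  "ssh-ed25519 #{[blob].pack('m0')} #{comment}"
end

if __FILE__ == $PROGRAM_NAME
  registry = KeyRegistry.new
  p registry.add('user:alice', sample_key(1, 'alice@laptop'))
  p registry.add('group:platform', sample_key(1, 'ci-deploy')) # same key, new comment
  p registry.add('group:platform', sample_key(2, 'ci-deploy'))
end
```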
UI layout of `Deploy keys` section:
Similar to the project settings section at `/settings/repository` to begin with. This should ideally be moved to a creation flow similar to the one for variables, with a modal containing the creation flow.
#### Deploy Keys
Deploy keys allow read-only or read-write (if enabled) access to your group's repositories. Deploy keys can be used for CI, staging, or production servers. You can create a deploy key or add an existing one.
Create a new deploy key for this group.
Title
[FIELD]
Key
[FIELD]
Paste a machine public key here. Read more about how to generate it [here](https://gitlab.com/help/ssh/README).
* [ ] Write access allowed
Allow this key to push to __all of this group's repositories__ as well? (Default only allows pull access.)
Deploy keys table:
[TAB][Enabled deploy keys][NUM] [TAB][Privately accessible deploy keys][NUM] [TAB][Publicly accessible deploy keys][NUM]
[HEADER][Deploy key] [HEADER][Project usage] [HEADER][Created]
[ROW]{Title}{Fingerprint} [BADGE per Project]{Project reference}{Access level icon} [Date]{icon:calendar}{time ago} [ACTIONS]{Enable}{Disable}{Remove}{Edit}
Further details
Permissions and Security
Everyone who has access to Group > Settings > CI / CD should be able to add Group Deploy Keys/Tokens.
- Add expected impact to Maintainer (40) members
- Add expected impact to Owner (50) members
Documentation
Availability & Testing
What does success look like, and how can we measure that?
What is the type of buyer?
Core or Starter